
News: Dyre Banking Trojan gathers pace


Image: safe6 from keyservice.kiev.ua

The malware, also called Dyreza, is designed to get around SSL protection by hooking the browser and stealing login credentials before they are encrypted, and it is prompting software vendors to email clients a “not us, guv” denial.

The Dyre banking trojan, first reported at the start of the summer (source article: Security Researchers Warn of New Dyre Banking Trojan (eSecurityplanet) by Jeff Goldman, June 20, 2014), appears to be gathering pace to the point that companies such as Salesforce this week felt compelled to mass-mail customers to tell them there is no specific vulnerability in their software.

Rather, the Dyre or Dyreza trojan is designed to get around SSL protection and steal banking credentials. It does not break the encryption; it reads the traffic inside the browser before the browser encrypts it.

Delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice”, the attack emails link to zip files hosted on LogMeIn’s Cubby.com file storage service. Opening the zip file and running the executable inside installs the malware, which then monitors all of the victim’s browser traffic, including SSL traffic, inserts itself in the stream and redirects supposedly encrypted SSL sessions to its own page.

Using a technique called browser hooking, Dyre intercepts the traffic while it is still un-encrypted inside the browser, where it can record it and scan it for financial details. Because the interception happens before the data reaches the SSL layer, the browser still shows a valid padlock and the encryption on the wire is genuine; it is simply applied after the credentials have already been captured.

Apparently sufficient scare stories have spread over the summer that Salesforce needed to point out that its software has not been compromised, but it does not go so far as to say “it’s you, dummy!”, which would be of more use, since Dyre relies entirely on social engineering of human beings for its attack vector. If no one felt the need to open suspect emails and click on unsolicited links without checking or scanning them first, this kind of malware would sit uselessly on the servers.

Security site PhishMe recommends taking the following five steps to mitigate the threat from Dyre:

1. Remove the phishing emails from inboxes
2. Check proxy logs for traffic to Cubby downloading zip files whose name contains “documents” or “invoice”
3. Search for traffic to, and block, the IPs 85.25.148.6, 217.12.207.151 and 192.99.6.61
4. IDS rules looking for a double POST within a short period of time (this will catch copycats, too)
5. Look for zip files containing .exe or .scr files (web, IDS, host-based, etc.)
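Steps 2 to 5 above can be scripted against proxy logs and mail attachments. The following is an added example, not code from the original post or from PhishMe: it parses Squid-style proxy log lines, flags Cubby zip downloads named “documents” or “invoice”, flags traffic to the listed IPs, detects a double POST from one client to one host within a short window, and inspects a zip archive for .exe/.scr members, including double-extension names such as invoice.pdf.scr. The log format, the sample log lines and the in-memory zip are constructed for the example; the IP list and name patterns are the ones PhishMe gives.

```python
"""Detection helpers for the Dyre/Dyreza indicators listed by PhishMe.

Added example, not from the original post or from PhishMe. The proxy log
format (Squid native access.log), the sample lines and the in-memory zip
archive are constructed here for illustration.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Indicators taken from the PhishMe list above.
BLOCKED_IPS = {"85.25.148.6", "217.12.207.151", "192.99.6.61"}
SUSPECT_NAMES = ("documents", "invoice")
DROPPER_EXTS = (".exe", ".scr")

# Constructed sample, Squid native format:
# timestamp elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1403251200.123  145 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1403251201.456  980 10.1.2.7 TCP_MISS/200 240000 GET https://www.cubby.com/pl/Invoice_documents.zip - HIER_DIRECT/64.94.18.201 application/zip
1403251202.789   52 10.1.2.7 TCP_MISS/200 310 POST http://85.25.148.6/ - HIER_DIRECT/85.25.148.6 text/html
1403251203.001   49 10.1.2.7 TCP_MISS/200 290 POST http://85.25.148.6/ - HIER_DIRECT/85.25.148.6 text/html
1403251230.500  120 10.1.2.9 TCP_MISS/200 8000 GET http://www.example.org/report.pdf - HIER_DIRECT/93.184.216.35 application/pdf
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_proxy_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def host_and_peer(entry):
    """Return (URL host, upstream peer IP) for a parsed entry."""
    host = urlparse(entry["url"]).hostname or ""
    peer = entry["hier"].split("/", 1)[-1]
    return host, peer


def find_cubby_zip_downloads(entries):
    """Step 2: Cubby zip downloads whose name contains 'documents' or 'invoice'."""
    hits = []
    for e in entries:
        host, _ = host_and_peer(e)
        path = urlparse(e["url"]).path.lower()
        if (host.endswith("cubby.com") and path.endswith(".zip")
                and any(n in path for n in SUSPECT_NAMES)):
            hits.append((e["client"], e["url"]))
    return hits


def find_blocked_ip_traffic(entries):
    """Step 3: requests addressed to, or served by, a listed C2 IP."""
    hits = []
    for e in entries:
        host, peer = host_and_peer(e)
        if host in BLOCKED_IPS or peer in BLOCKED_IPS:
            hits.append((e["client"], host or peer))
    return hits


def find_double_posts(entries, window=5.0):
    """Step 4: two POSTs from the same client to the same host within `window` seconds.

    Entries are expected in timestamp order, as they appear in the log.
    """
    last_post = {}
    hits = []
    for e in entries:
        if e["method"] != "POST":
            continue
        host, _ = host_and_peer(e)
        key = (e["client"], host)
        ts = float(e["ts"])
        if key in last_post and ts - last_post[key] <= window:
            hits.append(key)
        last_post[key] = ts
    return hits


def zip_dropper_members(data):
    """Step 5: names of .exe/.scr members in a zip, catching double extensions."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(DROPPER_EXTS)]


def build_sample_zip():
    """Constructed stand-in for the dropper archive; payload bytes are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_documents.pdf.scr", b"not a real binary")
        zf.writestr("readme.txt", b"decoy")
    return buf.getvalue()


if __name__ == "__main__":
    entries = list(parse_proxy_log(SAMPLE_PROXY_LOG))
    print("cubby zips:", find_cubby_zip_downloads(entries))
    print("blocked IPs:", find_blocked_ip_traffic(entries))
    print("double POSTs:", find_double_posts(entries))
    print("dropper members:", zip_dropper_members(build_sample_zip()))
```

Run against a real access.log by replacing SAMPLE_PROXY_LOG with the file contents; the double-POST check keys on (client, host), so a single client beaconing to one C2 host twice in quick succession is what trips it, which is why PhishMe notes it also catches copycats using the same check-in pattern.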

However, repeatedly hitting users over the head with a printout of “it’s you, dummy! Do NOT open suspect emails, DO NOT click on unsolicited links, CHECK and SCAN all downloads before opening”, wrapped around a length of two by four, until they remember some basic email security rules – that MIGHT, just might, have an effect. AJS

About Allan J. Smithie

Allan J. Smithie is a journalist and commentator based in Dubai.
